From 37828c0968ec2931402ead7540270c9efa196489 Mon Sep 17 00:00:00 2001
From: Dirkjan Ochtman
Date: Sun, 24 Sep 2023 22:50:09 +0200
Subject: [PATCH] Pass NameIterator to verification functions
---
 src/end_entity.rs | 12 ++++++---
 src/subject_name/dns_name.rs | 4 +--
 src/subject_name/ip_address.rs | 46 ++++++++++++++--------------------
 3 files changed, 30 insertions(+), 32 deletions(-)
diff --git a/src/end_entity.rs b/src/end_entity.rs
index 8b3ae61d..ec21f27d 100644
--- a/src/end_entity.rs
+++ b/src/end_entity.rs
@@ -18,7 +18,7 @@ use pki_types::{CertificateDer, SignatureVerificationAlgorithm, TrustAnchor, Uni
 use crate::crl::RevocationOptions;
 use crate::error::Error;
-use crate::subject_name::SubjectNameRef;
+use crate::subject_name::{NameIterator, SubjectNameRef};
 use crate::verify_cert::{self, KeyUsage};
 use crate::{cert, signed_data};
@@ -110,8 +110,14 @@ impl<'a> EndEntityCert<'a> {
 subject_name: SubjectNameRef,
 ) -> Result<(), Error> {
 match subject_name {
- SubjectNameRef::DnsName(dns_name) => dns_name.verify_cert_dns_name(self),
- SubjectNameRef::IpAddress(ip_address) => ip_address.verify_cert_ip_addresses(self),
+ SubjectNameRef::DnsName(dns_name) => dns_name.verify_dns_names(NameIterator::new(
+ Some(self.inner.subject),
+ self.inner.subject_alt_name,
+ )),
+ // IP addresses are not compared against the subject field;
+ // only against Subject Alternative Names.
+ SubjectNameRef::IpAddress(ip_address) => ip_address
+ .verify_ip_address_names(NameIterator::new(None, self.inner.subject_alt_name)),
 }
 }
diff --git a/src/subject_name/dns_name.rs b/src/subject_name/dns_name.rs
index 4a43db0d..8e0c5ed8 100644
--- a/src/subject_name/dns_name.rs
+++ b/src/subject_name/dns_name.rs
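Review bot: The match in the second hunk is now the only place that decides which certificate fields a reference identifier is compared against, yet only the IP arm explains its choice; the DNS arm passes `Some(self.inner.subject)` with no note on whether a DNS name is actually matched against the subject or the subject is merely carried along for other processing inside `NameIterator`, which a reader cannot tell from this hunk. Since `verify_dns_names` and `verify_ip_address_names` no longer build their own iterators, a future caller of either could silently widen or narrow the name sources, so the rationale belongs next to each `NameIterator::new` call. Suggest a parallel comment on the DNS arm such as `// DNS names: iterate the subject as well as the SANs; see NameIterator for what the subject contributes here.`, adjusted once confirmed against NameIterator. The enclosing method's signature starts before the hunk.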
@@ -85,9 +85,9 @@ impl<'a> DnsNameRef<'a> {
 Self::try_from_ascii(dns_name.as_bytes())
 }
- pub(crate) fn verify_cert_dns_name(&self, cert: &crate::EndEntityCert) -> Result<(), Error> {
+ pub(crate) fn verify_dns_names(&self, mut names: NameIterator<'_>) -> Result<(), Error> {
 let dns_name = untrusted::Input::from(self.as_str().as_bytes());
- NameIterator::new(Some(cert.subject), cert.subject_alt_name)
+ names
 .find_map(|result| {
 let name = match result {
 Ok(name) => name,
diff --git a/src/subject_name/ip_address.rs b/src/subject_name/ip_address.rs
index da2c01bb..af7e8670 100644
--- a/src/subject_name/ip_address.rs
+++ b/src/subject_name/ip_address.rs
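Review bot: `verify_dns_names` gains a caller-supplied `names` parameter but no doc comment, so nothing states that `self` is the reference identifier and `names` the presented identifiers, nor what the function does with entries that are not DNS names or that fail to parse. A short contract would make the new split of responsibilities explicit: `/// Matches this reference DNS name against the presented names yielded by `names`; callers choose which certificate fields `names` draws from.` Whether the no-match path returns `Error::CertNotValidForName` as in the sibling ip_address.rs is not visible here and should be confirmed before documenting it. The function body continues past the end of the hunk.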
@@ -52,38 +52,30 @@ pub enum IpAddrRef<'a> {
 }
 impl<'a> IpAddrRef<'a> {
- pub(crate) fn verify_cert_ip_addresses(
- &self,
- cert: &crate::EndEntityCert,
- ) -> Result<(), Error> {
+ pub(crate) fn verify_ip_address_names(&self, mut names: NameIterator<'_>) -> Result<(), Error> {
 let ip_address = match self {
 IpAddrRef::V4(_, ref ip_address_octets) => untrusted::Input::from(ip_address_octets),
 IpAddrRef::V6(_, ref ip_address_octets) => untrusted::Input::from(ip_address_octets),
 };
- NameIterator::new(
- // IP addresses are not compared against the subject field;
- // only against Subject Alternative Names.
- None,
- cert.subject_alt_name,
- )
- .find_map(|result| {
- let name = match result {
- Ok(name) => name,
- Err(err) => return Some(Err(err)),
- };
-
- let presented_id = match name {
- GeneralName::IpAddress(presented) => presented,
- _ => return None,
- };
-
- match presented_id_matches_reference_id(presented_id, ip_address) {
- true => Some(Ok(())),
- false => None,
- }
- })
- .unwrap_or(Err(Error::CertNotValidForName))
+ names
+ .find_map(|result| {
+ let name = match result {
+ Ok(name) => name,
+ Err(err) => return Some(Err(err)),
+ };
+
+ let presented_id = match name {
+ GeneralName::IpAddress(presented) => presented,
+ _ => return None,
+ };
+
+ match presented_id_matches_reference_id(presented_id, ip_address) {
+ true => Some(Ok(())),
+ false => None,
+ }
+ })
+ .unwrap_or(Err(Error::CertNotValidForName))
 }
 }
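Review bot: The "SANs only" rule that this function used to enforce itself (the removed `NameIterator::new(None, ...)` with its comment) now lives exclusively in the caller, while `verify_ip_address_names` accepts any `NameIterator` and filters only on `GeneralName::IpAddress`; whether a subject passed in by a careless caller could ever surface as an `IpAddress` entry depends on `NameIterator` internals not visible in this hunk. That obligation should be stated on the function so it survives the refactor: `/// `names` must be built from the Subject Alternative Name extension only (`NameIterator::new(None, san)`); IP addresses are never matched against the subject field.` The `mut names` binding is required because `Iterator::find_map` takes `&mut self`, which is worth a brief note since the parameter is otherwise never reassigned. Parse errors from `names` still abort with that error rather than `CertNotValidForName`, unchanged from before and not something this commit needs to address.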